Fixes in security

2025-11-05 13:24:17 +01:00 · 2025-11-05 13:24:17 +01:00 · 849cb07b7b
commit 849cb07b7b
parent a7c29c0d38
4 changed files with 55 additions and 20 deletions
--- a/paramecio2/modules/admin/libraries/admin_auth.py
+++ b/paramecio2/modules/admin/libraries/admin_auth.py
@ -1,6 +1,13 @@
 from flask import g, request, redirect, session, url_for
 from paramecio2.libraries.db.webmodel import WebModel
 from settings import config
+from paramecio2.libraries.db.extrafields.passwordfield import PasswordField
+from paramecio2.libraries.i18n import I18n, PGetText
+
+try:
+    import ujson as json
+except:
+    import json

 modules_access=[]

@ -14,19 +21,47 @@ def admin_prepare():
            
            if 'remember_login_admin' in request.cookies:
                
-                with g.connection.query('select count(id) as count_id from useradmin where token_login=%s', [request.cookies['remember_login_admin']]) as cursor:
+                try:
+                
+                    arr_cookie=json.loads(request.cookies['remember_login_admin'])
                    
-                    arr_count=cursor.fetchone()
-
-                    if arr_count['count_id']==0:
+                except:
+                    
+                    arr_cookie=(0, '')
+                    
+                #print(arr_cookie)
+                #with g.connection.query('select count(id) as count_id from useradmin where token_login=%s', [request.cookies['remember_login_admin']]) as cursor:
+                with g.connection.query('select id, token_login, dark_theme from useradmin where id=%s', [arr_cookie[0]]) as cursor:
+                    
+                    arr_user=cursor.fetchone()
+                    
+                    if arr_user:
+                    
+                        passfield=PasswordField('token_login')
                        
-                        url_redirect=config.domain_url+url_for('admin_app.login', _external=False)
-                        
-                        return redirect(url_redirect)   
+                        if passfield.verify(arr_cookie[1], arr_user['token_login']):
+                            
+                            session['login_admin']=True
+                            session['user_id']=arr_user['id']
+                            
+                            if arr_user['dark_theme']:
+                                session['theme']='1'
+                            else:
+                                session['theme']='0'
+                            
+                            session['lang']=arr_user.get('lang', I18n.default_lang)
+                            
+                        else:
+                            
+                            url_redirect=config.domain_url+url_for('admin_app.logout', _external=False)
+                            
+                            return redirect(url_redirect)   
                    else:
                        
-                        session['login_admin']=True
-            
+                        url_redirect=config.domain_url+url_for('admin_app.logout', _external=False)
+                            
+                        return redirect(url_redirect)   
+                        
            else:
                
                url_redirect=config.domain_url+url_for('admin_app.login', _external=False)